ABSTRACT

In the design phase of a system, how does a design engineer or 
manager choose between a subsystem with .990 reliability and a more 
costly subsystem with .995 reliability? When is the increased cost 
justified? 

High reliability is not necessarily an end in itself but may be 
desirable in order to reduce the expected cost due to subsystem 
failure. However, this may not be the wisest use of funds since 
the expected cost due to subsystem failure is not the only cost 
involved. The subsystem itself may be very costly. We should not 
consider either the cost of the subsystem or the expected cost due 
to subsystem failure separately but should minimize the total of 
the two costs, i.e., the total of the cost of the subsystem plus
the expected cost due to subsystem failure. 

This final report discusses the Combined Analysis of Reliability, 
Redundancy, and Cost (CARRAC) methods which were developed under 
Grant Number NAG3-1100 from the NASA Lewis Research Center. CARRAC 
methods and a CARRAC computer program employ five models which can 
be used to cover a wide range of problems. The models contain an 
option which can include repair of failed modules. 


ASSUMPTIONS AND NOTATION 

In this paper we assume perfect switching devices (if needed) of
negligible cost and independence of the subsystem modules.

NOTATION 

n      number of modules in the subsystem

k      minimum number of good modules for the subsystem to be good

r      reliability of the whole system for other than failure of the
       subsystem

r_s    reliability of the subsystem

c_1    loss due to failure of the subsystem

c_2    loss due to subsystem output at v_c (for models 3, 4, and 5)

c_3    cost of a one module subsystem capable of full output

c_4    cost of a module in a k-out-of-n:G subsystem when k is fixed
       (see later discussion)

c_6    cost to repair a module

g(k)   function which relates cost of subsystem to the number of
       modules in the subsystem

v_c    fraction of subsystem output necessary so that the mission is
       not a failure

p      probability that a module is good

q      probability that a module fails, or 1-p

C      the total of the cost of the subsystem itself plus the
       expected loss due to subsystem failure

λ      failure rate of a module (models 4 and 5 and repairs)

T_0    mission time

μ_r    the mean time to repair a module

σ_r    the standard deviation of the time to repair a module

INTRODUCTION 

Since expected value is an important ingredient in our quest for 
finding the best subsystem, consider the expected cost due to 
subsystem failure, denoted as E{cost due to subsystem failure}. As 
with all expected values, it depends upon both the dollar cost and 
the probability of its occurrence. Let c_1 be the cost due to
failure of the subsystem, including all costs incurred by subsystem
failure (but not the cost of the subsystem itself). This number
could be the entire cost of the main system (or even greater) if 
failure of the subsystem resulted in failure of the main system. 

In other instances c_1 would be less than the cost of the main
system, e.g., failure of the subsystem resulted in only a partial
failure of the main system.

Now the expected cost due to subsystem failure is c_1 times the
probability that this cost will be experienced. The only time that
this cost will be experienced is if both the subsystem fails and
the main system does not fail. If the main system fails, then we
will not experience a subsystem failure. For example, if we're
considering a power subsystem in a rocket, the rocket may explode
on the launch pad due to a fuel problem. Even if the power
subsystem would have failed in flight, we would not experience this
failure. Let r be the reliability of the main system (for other
than failure of the subsystem) and let r_s be the reliability of the
subsystem. [Note that Pr means "probability of". We will also use
the fact that Pr{A and B} = Pr{A∩B} = Pr{A}Pr{B|A}.] Then

E{cost due to subsystem failure}
   = c_1 Pr{subsystem failure ∩ main system good}
   = c_1 Pr{subsystem failure | main system good} Pr{main system good}
   = c_1 (1 - r_s) r = r c_1 (1 - r_s).

We can minimize this expected cost by building a subsystem with an
extremely low probability of failure (high reliability). However,
it is not clear that we should build the most reliable subsystem
possible since this will minimize only the expected cost due to
subsystem failure but does not consider the cost of building the
subsystem. We should not consider the two costs separately. We
therefore minimize the total of the two costs, i.e., the total of
the cost of the subsystem plus the expected cost due to subsystem
failure. The total cost to be minimized is

C = cost of the subsystem + E{cost due to subsystem failure}
  = cost of the subsystem + r c_1 (1 - r_s)                      (1)

In minimizing cost C we see that we are balancing the cost of the
subsystem and the expected cost due to subsystem failure.


SELECTING THE BETTER SUBSYSTEM 

Suppose that we are considering two subsystems. Subsystem 1, which 
costs $200 has a .97 reliability. Subsystem 2, with a cost of 
$100, has a .94 reliability. Without further analysis, there is no 
clear "best" subsystem and the choice is often based upon the 
amount budgeted for the subsystem. 

Assume that the two subsystems under consideration will be part of 
a main system which has a reliability (exclusive of the subsystem 
under consideration) of r = .96. We'll further assume that failure 
of the subsystem will result in a cost of c_1 = $10,000. Let us
first compare the E{cost due to subsystem failure} for each of the
two subsystems. 

For subsystem 1,

E{cost due to subsystem failure} = r c_1 Pr{subsystem failure}
                                 = r c_1 (1 - r_s1)
                                 = .96 x $10,000 x .03 = $288.

For subsystem 2,

E{cost due to subsystem failure} = r c_1 (1 - r_s2)
                                 = .96 x $10,000 x .06 = $576.

Subsystem 2 has a higher expected cost than subsystem 1. However,
since 2 is also less expensive, we need to compare the overall
expected cost, C, for 1 and for 2.

For subsystem 1,

C_s1 = $200 + $288 = $488.

For subsystem 2,

C_s2 = $100 + $576 = $676.

Since C_s1 < C_s2, we select subsystem 1 over subsystem 2.

For further information on expected values or on selecting the best 
subsystem, see [3]. 

K-OUT-OF-N:G SUBSYSTEMS

In this article we'll direct our attention to a specific type of 
subsystem, called a k-out-of-n:G subsystem. Such a subsystem has n 
modules, of which k are required to be good for the subsystem to be 
good. As an example consider the situation where the engineer has 
a certain power requirement. He may meet this requirement by 
having one large power module, two smaller modules, etc. The
number of modules required is called k. For example, the engineer 
may decide that k = 4. Then each module is 1/4 of the full 
required power. Therefore, the subsystem must have 4 or more 
modules for the full required power. The number of modules used in 
the subsystem is called n. For example, an n = 6 and k = 4
subsystem would have 6 modules each of 1/4 power and thus would 
have the output capability of 1.5 times the required power. The 
engineer chooses n and k. Selection of the different values of n 
and k results in different subsystems, each with different costs 
and reliabilities. Since each n and k yields different subsystems 
with different costs, we can choose the subsystem (the n and k) 
which will minimize cost C. 


MODEL 1 


The simplest k-out-of-n:G model is one where the modules are
independent and all have common probability of being good p and
common probability of failure q = 1-p. Let X count the number of
good modules. Now

\[
E\{\text{cost due to subsystem failure}\}
  = r c_1 \Pr\{\text{subsystem failure}\}
  = r c_1 \Pr\{X < k\}
  = r c_1 \sum_{x=0}^{k-1} \binom{n}{x} p^{x} q^{n-x} \tag{2}
\]


Recall that C = cost of subsystem + E{cost due to subsystem 
failure}. We therefore need to also consider the cost of the 
subsystem. First consider a simple situation where k is fixed. 
Here we are free to choose n. Then n-k will be the redundancy or
number of spares in the subsystem. If each module costs c_4, then
the cost of subsystem = n c_4. Using this with (2) we obtain

C = cost of subsystem + E{cost due to subsystem failure}


We wish to find the n which minimizes cost C. 

The author has written a program (QuickBASIC 4.5) called CARRAC
to find the n which minimizes C. Additionally this program will,
if you desire, graph C as a function of either p or c_1. CARRAC
will plot the best subsystems (i.e. the ones with the lowest C's)
over ranges of p or c_1. This allows you to not only select the
best subsystem for a particular value of p or c_1 but also to view
what happens to C for nearby values of p or c_1.

As an example, consider the situation when k = 1, where only one 
module is required to be operational for the subsystem to be 
operational. The reliability of this single module is estimated 
to be .95 (p = .95). Let the reliability of the system for other
than failure of the subsystem be .9 (r = .9). The cost of one
module is 1 (c_4 = 1) million dollars (throughout the remainder of
the paper all costs will be in millions of dollars). The cost due
to failure of this subsystem is 10 (c_1 = 10).


Figure 1 shows a plot of C for p ranging from .79 to .99 and n's
of 1 through 4. When the reliability of a single module p = .95,
n = 1 has the lowest value of C. Therefore the best subsystem in
this case is one with no spares. We see from figure 1 that the
n = 1 subsystem (no spares) has the lowest value of C for any
p > .87. If p < .87, then n = 2 (one spare) has the lowest value
of C. For p < .79, we would view the graph over the range of
p < .79.

Now suppose instead that c_1 (cost due to failure of the
subsystem) is 50. Figure 2 shows the plot of C for c_1 = 50.
We first note that if p = .95, then the n = 2 subsystem is the
best. Comparing figures 1 and 2 (at p = .95) we see that the
larger value of c_1 (in figure 2) requires a larger value of n.
This principle holds in general. If the cost of subsystem
failure increases then more redundancy is required. If .83
< p < .98, figure 2 shows that the n = 2 subsystem is best.
If p is below .83 then more redundancy (n = 3) is required.
If p > .98, then no redundancy (n = 1) is required.

MODEL 2


If, in model 1, we are also free to choose k in our subsystem, 
then we have model 2. Let c_3 be the cost of a subsystem
consisting of exactly one module. Further suppose that the cost
of a subsystem with exactly k modules is c_3 g(k). Here g(k) is
the factor which measures the (generally) increased cost of
building a subsystem consisting of k smaller modules rather than
one large module. If g(k) = 1 for all k, then a subsystem of k
modules costs the same as a subsystem consisting of a single
module. Any g(k) may be used. For example, if a subsystem of 2
smaller modules costs 4 times as much as a single module
subsystem then g(2) = 4. Therefore this subsystem would cost
c_3 g(k) = c_3 g(2) = 4 c_3. If a subsystem of 3 smaller modules
costs 7 times as much as a single module subsystem then g(3) = 7.

Other values for g(k) may be defined in a similar manner.
Therefore, in the above example, g(1) = 1, g(2) = 4, g(3) = 7,
etc. We also assume that each module in the subsystem costs
c_3 g(k)/k, which is 1/k of the total cost for k modules. Since we
have a total of n modules in the subsystem, then the cost of the
subsystem = n c_3 g(k)/k. Using this with (2) we obtain

C = cost of subsystem + E{loss due to subsystem failure}

\[
  = n c_3 g(k)/k + r c_1 \sum_{x=0}^{k-1} \binom{n}{x} p^{x} q^{n-x}
\]


For any particular situation with given values of c_1, c_3, r, p
and g(k) we use CARRAC to select the n and k to minimize C as
given above. There are two options for g(k) built into CARRAC.
You may choose either g(k) = (1+b)g(k-1) or g(k) = k(1/k)^c, where
you are free to set b or c.

If you believe that the cost of building a subsystem of k modules
increases (or decreases) linearly with k, then you would choose
the first option g(k) = (1+b)g(k-1), with b > 0 (b < 0). For
example, if building a subsystem of two smaller modules costs 20%
more than building a single module subsystem, 3 modules costs 20%
more than a subsystem of two modules, etc., then let b = .2. If
you believe that the cost of building a subsystem is
exponentially proportional to the number of modules in the
subsystem then you would choose the second option g(k) = k(1/k)^c.
For example, consider building a space electrical power
subsystem. A rough rule of thumb says that the cost of smaller
modules for a space electrical power subsystem is proportional to
the electrical power raised to the .7, i.e., g(k) = k(1/k)^.7.
Therefore, a subsystem consisting of a single module capable of
full power costs c_3 g(1) = c_3 1(1/1)^.7 = 1.0 c_3. A subsystem
consisting of 2 modules, each of 1/2 power, costs c_3 g(2) =
c_3 2(1/2)^.7 = 1.23 c_3 to build, etc. An n = 3 and k = 2
subsystem (one having 3 modules each of 1/2 power) costs
n c_3 g(k)/k = 3 c_3 2(1/2)^.7/2 = 3 c_3 x 1.23/2 = 1.85 c_3 to
build.


As an example of model 2, suppose we are building a space
electrical power subsystem. The cost due to subsystem failure,
c_1, is 240. Let the reliability of the system for other than
failure of the subsystem be .9 (r = .9). Suppose that the cost
of building a single module capable of full power is 1 (c_3 = 1).
Using the rule of thumb stated above, we use the option for g(k)
with c = .7. All of the above values are entered into CARRAC as
parameters. An estimate of p, the reliability of an individual
module, is .96. If we are unsure of this estimate, we can use
CARRAC to view (figure 3) the best subsystems over p ranging from
.89 to .99.

From figure 3, at p = .96, the n = 2, k = 1 subsystem is best 
(lowest value of C). If p < .95, the n = 4, k = 2 subsystem is
best. Note this is a flatter curve over the range of p, 
indicating a low value for C over a wide range of p. 




For the same example, suppose we wish to view what happens to C
as c_1 varies. Figure 4 (from CARRAC) shows, if c_1 is below
310, then the n = 2, k = 1 subsystem is best. However, for
310 < c_1 < 400, the n = 5, k = 3 subsystem is the best. For
c_1 > 400 the n = 4, k = 2 subsystem is the best. This type of
analysis could be used whenever you are unsure of c_1 and wish to
consider results over a range of values.
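
The model 1 and model 2 searches described above can be reproduced
with a short script. This is an added example in Python, not CARRAC
or any code from the report; the function names and the search
bounds (max_spares, k_max) are assumptions, since the report does
not describe how CARRAC bounds its search.

```python
from math import comb


def prob_subsystem_fails(n, k, p):
    """Pr{X < k} for X ~ Binomial(n, p): fewer than k of n modules good (eq. 2)."""
    q = 1.0 - p
    return sum(comb(n, x) * p**x * q**(n - x) for x in range(k))


def g_power(c):
    """Second g(k) option in the text: g(k) = k(1/k)^c."""
    return lambda k: k * (1.0 / k) ** c


def g_geometric(b):
    """First g(k) option in the text: g(k) = (1+b) g(k-1), with g(1) = 1."""
    return lambda k: (1.0 + b) ** (k - 1)


def cost_model1(n, k, p, r, c1, c4):
    """Model 1 (k fixed): C = n*c4 + r*c1*Pr{X < k}."""
    return n * c4 + r * c1 * prob_subsystem_fails(n, k, p)


def cost_model2(n, k, p, r, c1, c3, g):
    """Model 2: C = n*c3*g(k)/k + r*c1*Pr{X < k}."""
    return n * c3 * g(k) / k + r * c1 * prob_subsystem_fails(n, k, p)


def best_n_model1(k, p, r, c1, c4, max_spares=10):
    """n with the lowest C for fixed k, searching n = k .. k + max_spares."""
    return min(range(k, k + max_spares + 1),
               key=lambda n: cost_model1(n, k, p, r, c1, c4))


def rank_model2(p, r, c1, c3, g, k_max=8, max_spares=6):
    """Every (C, n, k) on the search grid, sorted from lowest to highest C."""
    grid = [(cost_model2(n, k, p, r, c1, c3, g), n, k)
            for k in range(1, k_max + 1)
            for n in range(k, k + max_spares + 1)]
    return sorted(grid)


def best_nk_model2(p, r, c1, c3, g, k_max=8, max_spares=6):
    """(n, k) with the lowest C on the search grid."""
    _, n, k = rank_model2(p, r, c1, c3, g, k_max, max_spares)[0]
    return n, k


if __name__ == "__main__":
    # Model 1 example from the text: k = 1, p = .95, r = .9, c_4 = 1.
    for c1 in (10, 50):
        print("model 1, c_1 =", c1, "-> best n =",
              best_n_model1(k=1, p=0.95, r=0.9, c1=c1, c4=1))
    # Model 2 example from the text: c_1 = 240, r = .9, c_3 = 1, c = .7.
    for cost, n, k in rank_model2(0.96, 0.9, 240, 1, g_power(0.7))[:5]:
        print(f"model 2: n = {n}, k = {k}, C = {cost:.3f}")
```
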


MODEL 3 

Figure 5 shows the loss due to subsystem failure, where v is the
ratio of the actual output of the subsystem to the specification
output. If v drops below some critical value v_c, the mission is
a complete failure and the loss is c_1. However, if v is at v_c,
then the loss is only c_2. As v increases above v_c, this loss
decreases until there is no loss at full output.

Although h is linear in figure 5, other loss functions, e.g.,
a decreasing multi-step function, are appropriate. If
h(v) = a - av, v_c ≤ v ≤ 1, a = c_2/(1-v_c), (1) becomes

\[
C = n c_3 g(k)/k
  + r c_1 \sum_{x=0}^{x<kv_c} \binom{n}{x} p^{x} q^{n-x}
  + r \sum_{x \ge kv_c}^{k-1} \binom{n}{x} p^{x} q^{n-x} (a - a x/k).
\]

The third term on the rhs is expected loss due to partial failure
of the subsystem. Again we can find, by means of CARRAC, the n
and k which minimize C.


MODEL 4 

Suppose in model 3 (with c_1 = c_2) that mission time is also
important. If modules fail exponentially with failure rate λ,
then the probability of a module still operating successfully at
time t is exp(-λt). Let f(x,t) be the joint probability density
function of x successes (n-x failures) and time t. Note that
g(x) is the probability that, at time T_0, exactly x modules will
be operating successfully.

\[
f(t,x) = n \binom{n-1}{x} [\exp(-\lambda t)]^{x}
         [1-\exp(-\lambda t)]^{n-x-1} \lambda \exp(-\lambda t)
         [\exp(-\lambda (T_0 - t))]^{x}
\]
\[
       = \frac{n!}{x!\,(n-x-1)!} [\exp(-\lambda T_0)]^{x}
         \lambda \exp(-\lambda t) [1-\exp(-\lambda t)]^{n-x-1},
         \quad 0 < t < T_0,\; x = 0, 1, \ldots, n-1.
\]

Now
\[
g(x) = \int_0^{T_0} f(t,x)\,dt
     = \binom{n}{x} [\exp(-\lambda T_0)]^{x} [1-\exp(-\lambda T_0)]^{n-x},
       \quad x = 0, 1, \ldots, n-1,
\]
with g(n) = exp[-λT_0]^n.

If the output fraction is v_c at the start of the mission, our
loss is c_2. As v increases above v_c, then this loss decreases
until there is no loss at full output. With output at or above
v_c, losses decrease with increasing time until there is no loss
beyond mission time T_0. Additionally, for any given t, h(v,t)
decreases as v increases above v_c.

Consider now a general loss function h(v,t) [not necessarily the
one illustrated by figure 6]. Again, for a given t, h takes on
values only for v = x/k. Now (1) becomes

\[
C = n c_3 g(k)/k + r \sum_{x=0}^{k-1} \int_0^{T_0} h(x/k, t)\, f(x,t)\,dt. \tag{3}
\]

Let
\[
h(x/k, t) = d(x/k) \sum_{j=0}^{m} b_j t^{j}.
\]


Then, after integrating, (3) becomes 


jt-i 

C=nc 2 gik) /k+r Y]dix/k ) in-x) n [exp ( -Xr 0 ) ] x X 

X=Q ' X > 

[l-exp [-X (i+ 1 ) r 0 ] ] 52 um( ?_ \[kii+l)] :l - w Tt w 

w=0 \ J W l 
We wish to find the n and k which minimize C. Minimizing C in
(4) is appropriate for any loss function, h( ), of the form
given in (3). Using the loss function given in figure 6, for
0 ≤ x < kv_c, d(x/k) = 1, m = 1, b_0 = c_2 and b_1 = -c_2 T_0^{-1}.
For kv_c ≤ x ≤ k-1 we have d(x/k) = 1 - x/k, m = 1, b_0 = a and
b_1 = -a T_0^{-1} where a = c_2 (1-v_c)^{-1} with 0 < v_c < 1.


j ( n-x ) exp [-A.T 0 ] x X 

w 2 (*> = Yj ( -1) i l* (i+l) 3 _1 [l-exp [-X (i+1) T 0 ] , 

i-o ' 1 I 

w, <*> =n j2 (_1)i 

[l-exp [ -X (i+l) T 0 ] -X (i+l) T 0 exp [~X (i+l) T 0 ] ] . 


Let w x (x) = 
Using (4) we obtain

\[
C = n c_3 g(k)/k
  + r \sum_{x=0}^{x<kv_c} c_2\, w_1(x) [w_2(x) - T_0^{-1} w_3(x)]
  + r \sum_{x \ge kv_c}^{k-1} [1 - x/k]\, a\, w_1(x) [w_2(x) - T_0^{-1} w_3(x)].
\]


MODEL 4 APPLICATIONS 


Model 4 might reasonably be applied to non-recoverable systems
which, at the end of their service life, have no intrinsic or
salvage value or which are prohibitively expensive to recover.
Examples include undersea sonar systems anchored in deep water,
instrument/telemetry packages located in remote regions or
communications satellites in geosynchronous orbit. For a
geosynchronous communications satellite a number of subsystems
could be chosen as an example. Let us examine the satellite
power system which can be divided into smaller identical modules.
We again use the rule of thumb which says that the cost of a
space power subsystem is proportional to the electrical power
raised to the .7 (g(k) = k(1/k)^.7). Suppose that the mission
life is 7 years and the reliability of the satellite (exclusive
of the power subsystem) over the mission life is .90. Because
the satellite needs power for stationkeeping, computers and
cooling, at least 10% of the specification power is needed for
the satellite to survive. Therefore, v_c is 0.1. The satellite
generates $2 million per month revenue. In the event of
satellite failure, a new satellite could be launched within two
years at a cost of $115 million. Therefore c_1 (or c_2) = 163
(115 plus 48 in lost revenue). Here we will assume that revenue
is roughly proportional to power, i.e., if a module of the power
subsystem fails, then one or more channels are no longer
available. We estimate λ as 3.5(10^-6) and again use CARRAC to
view C over a range of λ from 1(10^-6) to 6(10^-6). Figure 7
shows the 5 best subsystems. For λ < 4(10^-6) the n = 2, k = 1
subsystem is optimal. For λ > 4(10^-6), the n = 3, k = 1
subsystem is optimal.


MODEL 5


Suppose we have a situation similar to model 4 but now assume a
loss of c_1 if the output fraction from the subsystem is below
v_c anytime during the life of the mission.

Model 5 could be applied to recoverable systems, systems which
have inherent salvage value or manned systems. Examples include
manned aircraft or spacecraft, recoverable undersea vehicles or
spacecraft.

Model 5 implies that if the output fraction of the subsystem
falls below the critical value v_c, something catastrophic will
occur, such as loss of the whole system or loss of life.

With these systems, loss or significant degradation of a critical
subsystem might cause loss of the craft and occupants. An
example of such a loss function is given by figure 8.

With this loss function, for x < kv_c, b_0 = c_2 and b_1 = 0 and
for kv_c ≤ x ≤ k-1, we have d(x/k) = 1 - x/k, m = 1, b_0 = a and
b_1 = -a T_0^{-1} where a = c_2 (1 - v_c)^{-1} with 0 < v_c < 1.



Using (4)

\[
C = n c_3 g(k)/k
  + r \sum_{x=0}^{x<kv_c} c_1\, g(x)
  + r \sum_{x \ge kv_c}^{k-1} [1 - x/k]\, a\, w_1(x) [w_2(x) - T_0^{-1} w_3(x)].
\]

Use of CARRAC is applicable to view C over a range of either k o


Repairability 

Since we are considering repairs, we must now consider the
useful time of the subsystem or the mission time, T_0. Therefore
p, the probability that a module is good, is a function of T_0.
If we assume that failures occur at random, i.e., exponentially,
then p = exp(-λT_0), where λ is the failure rate. We further
assume that repairs are equivalent to replacement, i.e., a
repair to a module will result in a module as good as new. We
also assume that the time to repair is normally distributed, with
an estimated mean μ_r and standard deviation σ_r.

For all repair situations, analysis has been done in CARRAC by 
means of simulation. For this reason, if you have a situation 
where repair is an option, the analysis to find the optimal 
subsystem may require considerable computer time. The required 
time depends upon both the subsystems being considered and the 
speed of the computer. If you are running the analysis for a 
particular subsystem, e.g., n = 7 and k = 4, the amount of time
required for simulating repairs is usually quite short, in the 
range of a minute or so. However, if you request a search and 
graphical analysis, then the simulation may require several 
hours. CARRAC also allows you to choose low, medium or high 
resolution for the simulation. High resolution has the most 
accurate results but is also the slowest. Medium and low are 
faster but with correspondingly less accurate results. You might 
consider low resolution for your initial searches and increase 
the resolution as you approach the optimum. 

Repair: models 1 and 2 

The scenarios for models 1 and 2 are identical. Since we are
using simulation, we have a number of trials. Consider the first
trial. If we let s be the number of good modules in the
subsystem at a given time, then s = n at the beginning of the
mission. If a module fails, then s = n-1. If s < k, then the
subsystem fails and we incur a cost of r c_1 (due to the loss of
the entire subsystem). If s ≥ k, we initiate repair on the first
module and a cost of c_6 (the cost of repairing one module) is
incurred. (Again, the amount of time required for repair is a
normally distributed random variable with mean μ_r and standard
deviation σ_r.) If the failed module is repaired before another
module fails, then our total cost up to this time is c_6. If
another module fails before repair is completed on the first
module, then s = n-2. If s < k, then the subsystem fails and
we incur a cost of r c_1 (due to the loss of the entire subsystem).
Therefore, our total cost for the first trial is r c_1 + c_6. If s
≥ k, we initiate repair on the second module and incur another
cost of c_6. If, throughout the entire mission s ≥ k, then the
subsystem has not failed and our total cost involves only repair
costs, the number of failed modules times c_6. If, however, at
some time during the mission s < k, the subsystem has failed and
we incur a cost of r c_1 due to failure of the subsystem.

Therefore our total cost for the first trial is r c_1 plus the
number of failed modules times c_6. We repeat this a large number
of times (depending upon the level of resolution chosen) and
average our costs over all trials. The cost C is given by

C = cost of the subsystem + E{cost due to subsystem failure}
    + E{cost of repair}.
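
The trial procedure for models 1 and 2 with repair can be written
as a small event-driven Monte Carlo simulation. This is an added
example in Python, not CARRAC's simulation code. It assumes that
all n modules run from the start of the mission, that each working
module fails at rate λ, that several repairs may be in progress at
once, and that a negative draw from the normal repair-time
distribution is clipped to zero; the function names, trial count
and seed are also assumptions.

```python
import heapq
import random


def simulate_trial(n, k, lam, t0, mu_r, sigma_r, r, c1, c6, rng):
    """One mission: r*c1 if the subsystem fails, plus c6 per repair started."""
    t, good, cost = 0.0, n, 0.0
    repairs = []  # min-heap of repair completion times
    while True:
        # Exponential lifetimes are memoryless, so the next failure among
        # `good` working modules is Exp(good * lam) from the current time.
        t_fail = t + rng.expovariate(good * lam)
        if repairs and repairs[0] <= min(t_fail, t0):
            # A repair finishes first: the module returns as good as new.
            t = heapq.heappop(repairs)
            good += 1
            continue
        if t_fail >= t0:
            return cost  # mission over with s >= k throughout
        t = t_fail
        good -= 1
        if good < k:
            return cost + r * c1  # s < k: subsystem failure ends the trial
        cost += c6  # s >= k: start repairing the failed module
        repair_time = max(0.0, rng.gauss(mu_r, sigma_r))  # assumption: clip at 0
        heapq.heappush(repairs, t + repair_time)


def expected_cost_with_repair(n, k, lam, t0, mu_r, sigma_r, r, c1, c6,
                              subsystem_cost, trials=20000, seed=1):
    """C = subsystem cost + average over trials of (failure loss + repair cost)."""
    rng = random.Random(seed)
    total = sum(simulate_trial(n, k, lam, t0, mu_r, sigma_r, r, c1, c6, rng)
                for _ in range(trials))
    return subsystem_cost + total / trials


if __name__ == "__main__":
    import math
    # Constructed inputs: n = 2, k = 1, p = exp(-lam*T_0) = .8, r = .9, c_1 = 10,
    # c_4 = 1 (subsystem cost n*c_4 = 2), repair mean 10, s.d. 2, c_6 = .05.
    lam = -math.log(0.8) / 1000.0
    print(expected_cost_with_repair(2, 1, lam, 1000.0, 10.0, 2.0,
                                    0.9, 10.0, 0.05, subsystem_cost=2.0))
```

When repairs never finish within the mission and c_6 = 0, the
simulated C should agree with the closed-form model 1 cost using
p = exp(-λT_0), which is a useful check on the simulation.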

Repair: models 3,4 and 5 

The situation for model 3 differs in that we allow for partial
failure of the subsystem, according to figure 5. We assume that
complete failure of the subsystem results in a loss of r c_1,
regardless of the time (into the mission) at which complete
failure of the subsystem occurs. For model 4 (see fig. 8), we
assume that the cost of complete failure of the subsystem, r c_1,
is weighed by the proportion of the mission time over which
complete failure occurs. For example, if the mission time is
1000 hours and complete failure of the subsystem occurs at 900
hours, the cost of complete failure is .1 r c_1.

Let's consider how these costs are calculated. 

If, in the first trial, s ≥ k throughout the entire mission,
then the subsystem has not failed, even partially, and our total
cost involves only repair costs. Therefore our total cost for
the first trial is the number of failed modules times c_6. If s ≥
kv_c throughout the entire mission, then the subsystem has not
completely failed and our total cost involves only repair costs
and the cost due to partial failure (which is weighed by the
amount of time that the subsystem is in the particular state of
partial failure). Therefore our total cost for the first trial
is the number of failed modules times c_6 plus the costs
associated with partial failure. If, however, s < kv_c at some
time during the mission, the subsystem has failed and we incur a
loss due to complete failure of the subsystem. Models 3 and 4
differ here in the loss assigned to the complete failure of the
subsystem, E{cost due to subsystem failure}.

For model 3, the loss assigned to complete failure of the
subsystem is r c_1. Therefore our total cost for the first trial
is r c_1 plus the number of failed modules times c_6 plus the costs
associated with partial failure. We repeat this a large number
of times and average our costs over all trials.

For model 4, the loss assigned to complete failure of the
subsystem is r c_1 weighed by the proportion of mission time
remaining. Therefore our total cost for the first trial is r c_1
weighed by the proportion of mission time remaining plus the
number of failed modules times c_6 plus the costs associated with
partial failure. We repeat this a large number of times and
average our costs over all trials.

Therefore, for either models 3 or 4, the cost C is given by

C = cost of the subsystem + E{cost due to subsystem failure}
    + E{cost of repair} + E{cost due to partial subsystem failure}.

We remark that, if we allow repairs in model 3 and consider the
mission time, then models 3 and 5 are identical.

CARRAC 

It is anticipated that the CARRAC program (written in QuickBASIC) 
will become available in the future through NASA's Computer 
Software Management and Information Center (COSMIC).


SUMMARY 

Table 1 contains a summary of the five models which can be 
applied in a redundancy cost analysis. 


Table 1

Redundancy Cost Models Considered in this Paper

Model 1   Simplest cost model. The subsystem consists of n
          modules, of which k are required for success of the
          mission. If less than k modules are good, a loss of c_1
          occurs. In model 1, k is fixed.

Model 2   Same as model 1 except k may also vary. The g(k) cost
          function is also available to be used where increased
          redundancy brings in more (non-linear) cost.

Model 3   Model 3 expands on models 1 and 2. Linear (or other)
          loss functions are utilized. If less than k modules
          are good, some loss will occur but not necessarily the
          entire loss of c_1. The loss which occurs depends upon
          some critical output fraction v_c.

Model 4   Model 4 considers time in the loss function. Modules
          in the subsystem fail exponentially with rate λ.

Model 5   Model 5 handles situations where output fraction below
          v_c causes a loss which is not time dependent, e.g.,
          manned space missions where loss of a major portion of
          a critical subsystem may cause loss of life.